From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH 12/16] docs: add manpage for virtsecretd
Date: Tue, 17 Nov 2020 16:10:23 +0000
Message-Id: <20201117161027.210543-13-berrange@redhat.com>
In-Reply-To: <20201117161027.210543-1-berrange@redhat.com>
References: <20201117161027.210543-1-berrange@redhat.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an adaptation of the libvirtd manpage.

Signed-off-by: Daniel P. Berrangé

--- docs/manpages/index.rst | 1 + docs/manpages/meson.build | 1 + docs/manpages/virtsecretd.rst | 214 ++++++++++++++++++++++++++++++++++ 3 files changed, 216 insertions(+) create mode 100644 docs/manpages/virtsecretd.rst diff --git a/docs/manpages/index.rst b/docs/manpages/index.rst index 67357419eb..fb62dc86a2 100644 --- a/docs/manpages/index.rst +++ b/docs/manpages/index.rst @@ -24,6 +24,7 @@ These daemons provide functionality to a single libvirt d= river * `virtnodedevd(8) `__ - libvirt host device management= daemon * `virtnwfilterd(8) `__ - libvirt network filter manag= ement daemon * `virtqemud(8) `__ - libvirt QEMU management daemon +* `virtsecretd(8) `__ - libvirt secret data management d= aemon =20 Tools =3D=3D=3D=3D=3D 
diff --git a/docs/manpages/meson.build b/docs/manpages/meson.build index e08365b780..1476722bde 100644 --- a/docs/manpages/meson.build +++ b/docs/manpages/meson.build @@ -32,6 +32,7 @@ docs_man_files =3D [ { 'name': 'virtnwfilterd', 'section': '8', 'install': conf.has('WITH_NWF= ILTER') }, { 'name': 'virtproxyd', 'section': '8', 'install': conf.has('WITH_LIBVIR= TD') }, { 'name': 'virtqemud', 'section': '8', 'install': conf.has('WITH_QEMU') = }, + { 'name': 'virtsecretd', 'section': '8', 'install': conf.has('WITH_SECRE= TS') }, ] =20 foreach name : keycode_list diff --git a/docs/manpages/virtsecretd.rst b/docs/manpages/virtsecretd.rst new file mode 100644 index 0000000000..2fa01ef147 --- /dev/null +++ b/docs/manpages/virtsecretd.rst 
@@ -0,0 +1,214 @@ +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +virtsecretd +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +------------------------------------- +libvirt secret data management daemon +------------------------------------- + +:Manual section: 8 +:Manual group: Virtualization Support + +.. contents:: + +SYNOPSIS +=3D=3D=3D=3D=3D=3D=3D=3D + +``virtsecretd`` [*OPTION*]... + + +DESCRIPTION +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The ``virtsecretd`` program is a server side daemon component of the libvi= rt +virtualization management system. + +It is one of a collection of modular daemons that replace functionality +previously provided by the monolithic ``libvirtd`` daemon. + +This daemon runs on virtualization hosts to provide management for secret = data. + +The ``virtsecretd`` daemon only listens for requests on a local Unix domain +socket. Remote off-host access and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. + +Restarting ``virtsecretd`` does not interrupt running guests. Guests conti= nue to +operate and changes in their state will generally be picked up automatical= ly +during startup. None the less it is recommended to avoid restarting with +running guests whenever practical. + + +SYSTEM SOCKET ACTIVATION +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The ``virtsecretd`` daemon is capable of starting in two modes. + +In the traditional mode, it will create and listen on UNIX sockets itself. + +In socket activation mode, it will rely on systemd to create and listen +on the UNIX sockets and pass them as pre-opened file descriptors. In this +mode most of the socket related config options in +``/etc/libvirt/virtsecretd.conf`` will no longer have any effect. + +Socket activation mode is generally the default when running on a host +OS that uses systemd. 
To revert to the traditional mode, all the socket +unit files must be masked: + +:: + + $ systemctl mask virtsecretd.socket virtsecretd-ro.socket \ + virtsecretd-admin.socket + + +OPTIONS +=3D=3D=3D=3D=3D=3D=3D + +``-h``, ``--help`` + +Display command line help usage then exit. + +``-d``, ``--daemon`` + +Run as a daemon & write PID file. + +``-f``, ``--config *FILE*`` + +Use this configuration file, overriding the default value. + +``-p``, ``--pid-file *FILE*`` + +Use this name for the PID file, overriding the default value. + +``-t``, ``--timeout *SECONDS*`` + +Exit after timeout period (in seconds), provided there are neither any cli= ent +connections nor any running domains. + +``-v``, ``--verbose`` + +Enable output of verbose messages. + +``--version`` + +Display version information then exit. + + +SIGNALS +=3D=3D=3D=3D=3D=3D=3D + +On receipt of ``SIGHUP`` ``virtsecretd`` will reload its configuration. + + +FILES +=3D=3D=3D=3D=3D + +When run as *root* +------------------ + +* ``@SYSCONFDIR@/libvirt/virtsecretd.conf`` + +The default configuration file used by ``virtsecretd``, unless overridden = on the +command line using the ``-f`` | ``--config`` option. + +* ``@RUNSTATEDIR@/libvirt/virtsecretd-sock`` +* ``@RUNSTATEDIR@/libvirt/virtsecretd-sock-ro`` +* ``@RUNSTATEDIR@/libvirt/virtsecretd-admin-sock`` + +The sockets ``virtsecretd`` will use. + +The TLS **Server** private key ``virtsecretd`` will use. + +* ``@RUNSTATEDIR@/virtsecretd.pid`` + +The PID file to use, unless overridden by the ``-p`` | ``--pid-file`` opti= on. + + +When run as *non-root* +---------------------- + +* ``$XDG_CONFIG_HOME/libvirt/virtsecretd.conf`` + +The default configuration file used by ``virtsecretd``, unless overridden = on the +command line using the ``-f``|``--config`` option. + +* ``$XDG_RUNTIME_DIR/libvirt/virtsecretd-sock`` +* ``$XDG_RUNTIME_DIR/libvirt/virtsecretd-admin-sock`` + +The sockets ``virtsecretd`` will use. 
+ +* ``$XDG_RUNTIME_DIR/libvirt/virtsecretd.pid`` + +The PID file to use, unless overridden by the ``-p``|``--pid-file`` option. + + +If ``$XDG_CONFIG_HOME`` is not set in your environment, ``virtsecretd`` wi= ll use +``$HOME/.config`` + +If ``$XDG_RUNTIME_DIR`` is not set in your environment, ``virtsecretd`` wi= ll use +``$HOME/.cache`` + + +EXAMPLES +=3D=3D=3D=3D=3D=3D=3D=3D + +To retrieve the version of ``virtsecretd``: + +:: + + # virtsecretd --version + virtsecretd (libvirt) @ + + +To start ``virtsecretd``, instructing it to daemonize and create a PID fil= e: + +:: + + # virtsecretd -d + # ls -la @RUNSTATEDIR@/virtsecretd.pid + -rw-r--r-- 1 root root 6 Jul 9 02:40 @RUNSTATEDIR@/virtsecretd.pid + + +BUGS +=3D=3D=3D=3D + +Please report all bugs you discover. This should be done via either: + +#. the mailing list + + `https://libvirt.org/contact.html `_ + +#. the bug tracker + + `https://libvirt.org/bugs.html `_ + +Alternatively, you may report bugs to your software distributor / vendor. + + +AUTHORS +=3D=3D=3D=3D=3D=3D=3D + +Please refer to the AUTHORS file distributed with libvirt. + + +COPYRIGHT +=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Copyright (C) 2006-2020 Red Hat, Inc., and the authors listed in the +libvirt AUTHORS file. + + +LICENSE +=3D=3D=3D=3D=3D=3D=3D + +``virtsecretd`` is distributed under the terms of the GNU LGPL v2.1+. +This is free software; see the source for copying conditions. There +is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR +PURPOSE + + +SEE ALSO +=3D=3D=3D=3D=3D=3D=3D=3D + +virsh(1), libvirtd(8), +`https://www.libvirt.org/daemons.html `_, +`https://www.libvirt.org/drvsecret.html `_ --=20 2.28.0
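Review bot: In the new virtsecretd.rst, FILES section under "When run as *root*", the sentence "The TLS **Server** private key ``virtsecretd`` will use." has no file entry above it and conflicts with the DESCRIPTION, which says the daemon only listens on a local Unix domain socket; it reads as carried over from the libvirtd page and should be dropped. Other carry-overs in the same hunk are worth fixing in the same pass: DESCRIPTION names the ``virtproxy`` daemon while the meson.build entry in this patch spells it 'virtproxyd', and both the paragraph "Restarting ``virtsecretd`` does not interrupt running guests" and the ``--timeout`` condition "nor any running domains" talk about guests and domains rather than secret data. The root FILES list also names three sockets (``virtsecretd-sock``, ``virtsecretd-sock-ro``, ``virtsecretd-admin-sock``) without saying what access each one grants; for a daemon that manages secret data, one sentence per socket on that would be a useful addition.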